Slashdot Mirror


Typing Patterns for Authentication

Kelson writes "NPR's Marketplace is reporting on a new authentication scheme. BioPassword tracks the way you type your password: how long each key is depressed, the time between keystrokes, and overall speed. When someone tries to log into your account, it compares the pattern to what it has on file. It only allows you in if both the password and patterns match. The technique has been around a while. World War II Morse code operators used it to determine whether a message was sent by an ally or an impostor."

14 of 259 comments

  1. Bad Idea by dynamo · · Score: 4, Insightful

    This will make it possible for a change of mood to deny your access to your own accounts. ...which will probably not help with the mood thing.

    1. Re:Bad Idea by arth1 · · Score: 2, Insightful

      Well, don't be so truthful! Give them made-up information instead. Ideally, you should have a different "Mother's maiden name" and "city of birth" for each service you use; that way, if any one gets compromised, all the others are safe.

      The problem with that is remembering all the different answers.
      To be honest, I don't see a good solution to the problem that people are required to remember more and more passwords. I would think that most people either pick the same passwords for most things, or store the passwords on their primary machine. In the first case they're screwed if the password is compromised just one place, and in the latter, they're screwed if they can't access their primary machine.
      And, no, I don't think biometrics is the answer either. You can't change your biometric data, and if someone gets ahold of it, you are then compromised for the rest of your life.

      A good authentication system should IMO be:

      1: Quick and easy to use.
      2: Location-independent. With the same authentication being used regardless of location of user or device.
      3: Near impossible to break.
      4: Maintenance free for the user.
      5: Mutable. It should be possible to change the key or invalidate it.
      6: High robustness. The user having a fever or a laptop being stolen shouldn't make it impossible or even harder to use.
      7: Have possibility for escrow with user's consent.
      8: Not require a user to remember one or more passwords for each place he authenticates against. Nor a master password that can compromise all other passwords.
      9: Transparent and documented. No black box.

      Surgically implanted key ring in your head? We're not there yet...

  2. No Soup For ... me? by mindlessLemming · · Score: 4, Insightful

    Great, now every time I fall off my bike or some other stupid accident that involves my hands, I won't be able to log in at all due to not matching the timing/pressure/etc. I can definitely see this ending in smashed keyboards. "It's me!!! Let me in you b@st@rd machine!"

  3. Re:Fist by OECD · · Score: 5, Insightful

    Oy. So now it makes a difference if I'm using my own computer or not? Or if I'm eating a bagel while logging in? Or if I have a hangover? Because my typing pattern is going to be different in each case.

    --
    One man's -1 Flamebait is another man's +5 Funny.

  4. Not very accurate for real world use by Jimmy King · · Score: 2, Insightful

    I read about this semi-recently (as in within the last year) and at that point the recognition based on the actual keystroke timing was pretty poor. With only 2 or 3 people they could tell who it was something like 90% of the time if I remember right. It got considerably worse as there were more people to recognize.

    Now, you could possibly argue that it only needs to be able to recognize 1 person or at most 2, you and "not you", as once it determines it is not you the system does not care about the specific identity. Still, until they get that number to 100% it's going to be more hassle than it's worth, especially at a place with a 3-attempt lockout policy or the like.

  5. Nothing To See Here, Move Along by mmurphy000 · · Score: 4, Insightful

    I'm beginning to think we're going to have to work up a check-off-the-problems sheet for these new authentication schemes like we pass around for anti-spam "solutions".

    Here, I see two problems off the cuff:

    1. If it thinks you're not typing the password the same way, "it will ask some additional security questions". Hence, this is not significantly different than the cookie-based or IP-address based solutions used by some banks, where you need only a password if you're coming from a familiar PC and need to answer more questions if you're not. Phishers can just let the password-typing fail and fall back to collecting the answers to the security questions and break in that way.
    2. It'll only be reliable for people who use the same keyboard all the time. I know I type differently when I'm on my home PC (natural keyboard) vs. an office PC (flat keyboard) vs. my PDA (thumbboard). Particularly the way I type with two thumbs bears little resemblance to the way I touch-type. Now, it's possible they'll track different typing profiles, but eventually the profiles will grow to cover just about any typing pattern...

    Color me unimpressed. Is it an incremental improvement over plain passwords? Yes, but not enough to go with a $34,000 plus $1.15/user fee structure, as cited in the article.

    1. Re:Nothing To See Here, Move Along by Michael Woodhams · · Score: 4, Insightful

      Furthermore, if the software can detect the password cadence, so can an appropriately programmed keylogger.

      Almost all security is a tradeoff against usability. This one looks like a bad trade - you lose lots of usability for only a small increase in security.

      --
      Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas. (Four things in this world are holy: books, children, liberty and generosity.)

  6. Seems like it would not work as I learn my passwd by rminsk · · Score: 5, Insightful

    When I first create a new password I typically stumble just a bit when typing it. After a few days/weeks I start building up motion memory for my password. How would the system handle when people improve typing their password?

  7. Re:Sharing Secrets by Anonymous Coward · · Score: 4, Insightful

    Never, EVER, give your wife your password! What the heck are you smoking?!?!

  8. Re:Fist by Rakishi · · Score: 2, Insightful

    and after I answer them the 20th time I'd say "fuck you" and either disable the system or use a service that doesn't have it.

  9. Re:Sharing Secrets by LordSnooty · · Score: 2, Insightful

    Agreed. Everything might be hunky-dory now, but what will the future hold? The bank can easily solve this by providing the wife with her own logon account, then attaching the various bank accounts she has authority over. At the very least it will maintain a proper audit trail. If the relationship went bad and the wife used the husband's logon to empty all the accounts, could he prove that it wasn't him who did the deed?

  10. Re:Sharing Secrets by Kidbro · · Score: 2, Insightful

    sharing a simple piece of information that can be changed at any time with someone you have no good reason to be keeping secrets from

    I can think of several people that could know the password after that telephone conversation, some of which the people having the conversation won't even know exist. One of many reasons to never share your password with anyone is that in the act of sharing it you expose it to potential (untrusted) snoopers, even if you trust the intended recipient.
    Frankly, the whole argument was probably the poorest I've seen against the proposal. "I don't want a security system that ensures I'm me since I want other people to be able to fake being me." That's just plain nonsense.

  11. not for web apps, I assume by poot_rootbeer · · Score: 2, Insightful

    How useful is this method going to be when it can't be used with web-based applications?

    For one, how's the web browser going to obtain that keystroke timing info and pass it on to the host? A Javascript implementation would be trivial to circumvent. And an ActiveX-like implementation would be a security risk.

    For another, what about stored passwords? I may use an identifiable cadence when typing in a new password for the first time, but if I choose to let my browser store that password, it's going to subsequently get pasted in at the speed of strcpy(). How many false negatives will this cause?
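
    The scheme the summary describes (dwell time per key, flight time between keys, overall speed, compared against a stored profile) is simple enough to model, and doing so makes three points raised in this thread concrete: Michael Woodhams's observation that a keylogger which records the cadence can replay it, poot_rootbeer's point that a browser-filled password has no cadence at all, and the mood/hangover/injury false rejects several posters expect. The following is an added illustration written for this page, not BioPassword's algorithm, code or data. The feature set, the z-score distance, the 2.0 threshold, the 8 ms spread floor and every timing value are assumptions chosen for the demonstration; the "typed" samples are constructed from a base rhythm plus random jitter.

```python
"""Toy keystroke-dynamics check, modelled on the scheme in the summary.

Features per login attempt: dwell time (how long each key is held) and
flight time (release of one key to press of the next), in milliseconds.
enroll() builds a per-feature mean and spread from several samples of the
same user typing the same password; verify() accepts an attempt whose mean
absolute z-score against that profile is under a threshold.  Everything
here is an added illustration with constructed timings, not BioPassword's
algorithm or data.
"""
import random
from statistics import mean, pstdev

PASSWORD_LEN = 8
# Constructed "habit" of our user: typical dwell per key and flight between keys (ms).
BASE_DWELL = [90, 110, 80, 120, 95, 85, 130, 100]
BASE_FLIGHT = [150, 200, 120, 180, 220, 140, 160]


def features(presses, releases):
    """Dwell and flight times from parallel lists of press/release timestamps (ms)."""
    dwell = [r - p for p, r in zip(presses, releases)]
    flight = [presses[i + 1] - releases[i] for i in range(len(presses) - 1)]
    return dwell + flight


def enroll(samples, floor_ms=8.0):
    """Per-feature mean and standard deviation; the spread is floored so one very
    consistent feature cannot dominate the score (and to avoid dividing by zero)."""
    columns = list(zip(*samples))
    mu = [mean(c) for c in columns]
    sigma = [max(pstdev(c), floor_ms) for c in columns]
    return mu, sigma


def score(profile, sample):
    """Mean absolute z-score of a sample against the enrolled profile (lower = closer)."""
    mu, sigma = profile
    return mean(abs(x - m) / s for x, m, s in zip(sample, mu, sigma))


def verify(profile, sample, threshold=2.0):
    """Cadence check only; the caller has already verified the password text itself."""
    return score(profile, sample) < threshold


def typed_sample(rng, jitter=15, speed=1.0):
    """Simulate one manual typing of the password: base timings with +/-jitter ms
    per interval, every interval multiplied by `speed` (1.6 = sluggish/hungover)."""
    t = 0.0
    presses, releases = [], []
    for i in range(PASSWORD_LEN):
        presses.append(t)
        t += (BASE_DWELL[i] + rng.uniform(-jitter, jitter)) * speed
        releases.append(t)
        if i < PASSWORD_LEN - 1:
            t += (BASE_FLIGHT[i] + rng.uniform(-jitter, jitter)) * speed
    return features(presses, releases)


def pasted_sample():
    """A browser/password-manager fill: each key down and up 1 ms apart, no gaps."""
    presses = list(range(PASSWORD_LEN))
    releases = [p + 1 for p in presses]
    return features(presses, releases)


def demo():
    rng = random.Random(7)  # fixed seed so the constructed data is reproducible
    profile = enroll([typed_sample(rng) for _ in range(10)])
    captured = typed_sample(rng)  # one genuine login, exactly as a keylogger would record it
    return {
        "genuine": verify(profile, captured),
        "replayed_by_keylogger": verify(profile, list(captured)),  # same vector, so it passes
        "genuine_but_slow": verify(profile, typed_sample(rng, speed=1.6)),  # mood, injury, hangover
        "pasted_by_browser": verify(profile, pasted_sample()),
        "pasted_score": score(profile, pasted_sample()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    Run as a script it prints the five results: the genuine attempt and the replayed copy of it are accepted, the slowed-down genuine attempt and the pasted password are rejected, and the pasted score is an order of magnitude over the threshold. The matcher only ever sees the timing vector, so anything that captures that vector (a keylogger, or a phishing page that records keydown/keyup events) can reproduce it, while the legitimate user is the one who gets locked out when the vector drifts.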

  12. Re:Whatever! by ajs318 · · Score: 2, Insightful

    And it's kind of cool to have a Christmas every week.
    That's as maybe; but it's not so cool having a January statement every month, though .....
    --
    Je fume. Tu fumes. Nous fûmes! (I smoke. You smoke. We were!)